@dduportal
Last active April 1, 2019 07:35
Q & A Online Meetup: Back to Traefik 2.0 - Gigawatts of Routing Power


Question: Will the slides be available after the webinar?

Answer: Yes, a link will be provided on our blog at https://blog.containo.us/back-to-traefik-2-0-the-online-meet-up-4e4b6411fbfa


Question: With the current version of Traefik, you can’t use the same Let's Encrypt certificate on multiple ports. Will this be fixed in 2.0?

Answer: V2.0 uses the routers to configure certificates, and as a direct consequence, it will be possible to have the same Let’s Encrypt certificate on multiple ports.


Question: Is there an ETA for K8s provider support?

Answer: Kubernetes Provider Support is already in 2.0, but only the HTTP part, for both "classic Ingress" and the new CRDs. The TCP part is one of the next steps, but there is no ETA yet (soon).


Question: It looks like the new IngressRoute CRD will ease setup of canary routes (where multiple services have uneven weights), is that correct?

Answer: Yes, totally. Please note that you can already set up canary routes with service weights in the current Traefik 1.7 version: "Traffic Splitting".


Question: How can I manage the east/west and north/south traffic with Traefik (as Edge Router) and EnvoyProxy (as Sidecar)?

Answer: Assuming this topology happens in Kubernetes, installing both Traefik and EnvoyProxy as Ingress Controllers is not an issue, as Kubernetes allows multiple ingress controllers to be installed. This lets you use the right tool for the right job at any moment.


Question: Will the old language be kept for backwards compatibility?

Answer: No, it won't be kept. However, there are plans to provide migration tools.


Question: Why is watching the Docker daemon like that bad? That is in every Traefik+Docker how-to I have ever seen.

Answer: Exposing the Docker daemon through a Unix socket (bind-mount) or through TCP "as-is" gives Traefik full access to it. So any incoming request from the outside that is able to break out of Traefik or its container would be able to gain full access to Docker, and transitively full root access to the underlying machine. Please check Traefik’s documentation to learn more about this, and to find security compensations.
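
A defensive check for the exposure described in this answer, as an added example that is not part of the original Q&A or Traefik's own code: it scans `docker inspect` JSON for containers that can reach the Docker API through a bind-mounted socket or a TCP endpoint, and rates those that also publish host ports higher. The sample input is constructed, and the function name `audit_containers`, the marker list and the severity rule are assumptions of this example.

```python
import json

DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}
TCP_MARKERS = ("DOCKER_HOST=tcp://", "docker.endpoint=tcp://")

def audit_containers(inspect_json):
    """Return one finding per container that can reach the Docker API."""
    findings = []
    for c in json.loads(inspect_json):
        reasons = []
        for m in c.get("Mounts") or []:
            if m.get("Source") in DOCKER_SOCKETS:
                # A read-only bind mount still permits connect(), so the
                # Docker API stays fully usable; ":ro" is not a mitigation.
                mode = "rw" if m.get("RW") else "ro, API still usable"
                reasons.append(f"socket mount {m['Source']} ({mode})")
        cfg = c.get("Config") or {}
        for arg in (cfg.get("Env") or []) + (cfg.get("Cmd") or []):
            if any(marker in arg for marker in TCP_MARKERS):
                reasons.append(f"TCP daemon endpoint: {arg}")
        if not reasons:
            continue
        ports = (c.get("NetworkSettings") or {}).get("Ports") or {}
        published = sorted(p for p, binds in ports.items() if binds)
        findings.append({
            "name": c.get("Name", "").lstrip("/"),
            "reasons": reasons,
            "published_ports": published,
            # Assumed rule: Docker access plus a host-published port means
            # outside traffic reaches a process that controls the daemon.
            "severity": "high" if published else "medium",
        })
    return findings

# Constructed sample shaped like `docker inspect` output (not real data).
SAMPLE = json.dumps([
    {"Name": "/traefik", "Config": {"Env": [], "Cmd": ["--docker"]},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "RW": False}],
     "NetworkSettings": {"Ports": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "80"}]}}},
    {"Name": "/whoami", "Config": {"Env": [], "Cmd": []}, "Mounts": [],
     "NetworkSettings": {"Ports": {"80/tcp": None}}},
    {"Name": "/agent", "Mounts": [], "NetworkSettings": {"Ports": {}},
     "Config": {"Env": [], "Cmd": ["--providers.docker.endpoint=tcp://dockerd:2375"]}},
])

if __name__ == "__main__":
    for finding in audit_containers(SAMPLE):
        print(finding["severity"], finding["name"], finding["reasons"])
```

On a live host the input would come from `docker inspect $(docker ps -q)`.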


Question: Will it be possible to have Traefik automatically manage LetsEncrypt certificates which are stored as a k8s secret?

Answer: It is already possible today with both 1.7 and 2.0 to use predefined Kubernetes secrets for providing certificates to Traefik. But it is not possible to store Traefik’s automated certificates into a Kubernetes secret (and there are no plans for it).


Question: Can custom middlewares be created?

Answer: Yes, totally! Raise your voice by opening issues describing your use case, and do not hesitate to contribute!


Question: Is it possible to run Traefik as an Ingress Controller outside a Kubernetes cluster, in a separate instance for example?

Answer: No, as Kubernetes needs to be aware of the presence of an Ingress Controller to allow API objects to be created. You could work around this by declaring the Controller manually after setting up Traefik outside and giving it access to the Kubernetes API. However, you would lose all the facilities provided by Kubernetes (while Traefik inside Kubernetes could also use another provider). If you are searching for an external LB for Kubernetes, you might want to look at https://metallb.universe.tf.
